NATIONAL ARCHIVES AND RECORDS ADMINISTRATION 



WISOO 




INFORMATION SECURITY 
OVERSIGHT OFFICE 



2013 



' Report to the President 





Authority 



• Executive Order (E.O.) 13526, “Classified National Security Information” 

• E.O. 12829, as amended, “National Industrial Security Program” 

• E.O. 13549, “Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities” 

• E.O. 13556, “Controlled Unclassified Information” 

• E.O. 13587, “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing 
and Safeguarding of Classified Information” 

The Information Security Oversight Office (ISOO) is a component of the National Archives and Records 
Administration (NARA) and receives its policy and program guidance from the Assistant to the President for 
National Security Affairs. 



We support the President by ensuring that the Government protects and provides proper access to information to 
advance the national and public interest. We lead efforts to standardize and assess the management of classified and 
controlled unclassified information through oversight, policy development, guidance, education, and reporting. 



• Develop implementing directives and instructions. 

• Review and approve agency implementing regulations. 

• Maintain liaison relationships with agency counterparts and conduct on-site and document reviews to monitor 
agency compliance. 

• Develop and disseminate security education materials for Government and industry; monitor security educa- 
tion and training programs. 

• Receive and take action on complaints, appeals, and suggestions. 

• Collect and analyze relevant statistical data and, along with other information, report them annually to 
the President. 

• Serve as spokesperson to Congress, the media, special interest groups, professional organizations, and the public. 

• Conduct special studies on identified or potential problem areas and develop remedial approaches for 
program improvement. 

• Recommend policy changes to the President through the Assistant to the President for National Security Affairs. 

• Provide program and administrative support for the Interagency Security Classification Appeals Panel (ISCAP). 

• Provide program and administrative support for the Public Interest Declassification Board. 

• Review requests for original classification authority from agencies. 

• Serve as Executive Agent to implement E.O. 13556 and oversee agency actions. 

• Chair the National Industrial Security Program Policy Advisory Committee (NISPPAC) under E.O. 12829, 
as amended. 

• Chair the State, Local, Tribal, and Private Sector Policy Advisory Committee under E.O. 13549. 

• Serve as member of the Senior Information Sharing and Safeguarding Steering Committee under E.O. 13587. 



• Promote programs for protection of classified and controlled unclassified information. 

• Reduce classification and control activity to the minimum necessary. 

• Ensure that the systems for declassification and decontrol operate as required. 

• Provide expert advice and guidance to constituents. 

• Collect, analyze, and report valid information about the status of agency programs. 



ISOO’s l Mission 



functions 




' 'Letter to the 'President 

June 2, 2014 

The President 
The White House 
Washington, DC 20500 

Dear Mr. President: 

I am pleased to submit the Information Security Oversight Office’s (ISOO) Report for Fiscal Year 2013, as required by 
Executive Order 13526, “Classified National Security Information” (the Order). 

This report provides statistics and analysis of the system of classification and declassification based on ISOO’s review of 
Departments’ and Agencies’ programs. It also contains the status of agency self-assessment reporting, the cost of security 
classification activity, and the National Industrial Security Program. 

I have also incorporated the required annual report on the development of the Controlled Unclassified Information pro- 
gram into this report. ISOO fulfills Executive Agent (EA) responsibilities for the Controlled Unclassified Information (CUI) 
Program, which were designated by Executive Order 13556 to the National Archives and Records Administration. During 
the past year, as EA, ISOO successfully advanced its policy development strategy, worked with the Office of Management 
and Budget to issue guidance for the Executive branch on submission of information types as CUI categories, established a 
CUI Advisory Council to improve consultative functions, and is currently completing a draff implementing directive. When 
the directive is incorporated into the Code of Federal Regulations, the EA plans to issue a National Implementation Plan for 
the Executive branch, providing a timeline detailing phases of implementation for all agencies. 

With regard to its oversight of Classified National Security Information, ISOO continues to develop and refine its ability 
to monitor agency efforts to perform self-assessment of their classified information programs. The agency self-inspection 
reports were much more responsive in this, the third year of detailed reporting required by E.O. 13526. This improvement is 
due, in large part, to the use of a new reporting form. Further improvement is needed in the quality of the reports from some 
agencies. ISOO will continue to use the self-inspection reporting process and its on-site assessment authority to prompt 
agencies to evaluate and improve their classified national security information programs. 

The Interagency Security Classification Appeals Panel continued adjudicating declassification appeals and posting the 
decisions on a publicly available website. The growing collection of over 250 documents now online fulfills the Order’s 
requirement that the Panel inform senior agency officials and the public of its decisions on mandatory declassification 
review appeals and classification challenges. This tool also helps agencies to conduct more consistent and accurate declassifi- 
cation reviews. 

The National Industrial Security Program Policy Advisory Committee (NISPPAC) made meaningful improvements in the 
areas of personnel security clearances and certification and accreditation of information systems. The NISPPAC contin- 
ues to ensure the requirements for the protection of classified information by the private sector are consistent with those 
established by the Order. ISOO continues its role on the Senior Information Sharing and Safeguarding Steering Committee, 
leading efforts to incorporate the requirements of the National Insider Threat Policy, and related responses to unauthorized 
disclosures, into the National Industrial Security Program policy and guidance. 

Lastly, ISOO joined with its Federal security partners as a member of the Office of Management and Budget-led Suitability and 
Security Processes Review, which made recommendations critical to the efforts to reform security clearance and related pro- 
cesses. Not only did this leverage ISOO’s long history of involvement in these matters and its role in overseeing and ensuring the 
viability and accountability of cleared contractors in the clearance process, but it dovetailed with my own experience leading 
related efforts at clearance reform in the Executive branch. ISOO is poised to continue its support to these and future reforms. 



Respectfully, 
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Summary ofFY 2013 Trogram Activity 



Classification 

E xecutive branch agencies reported 
2,269 original classification 
authorities (OCA), down from 2,326 
reported in FY 2012. 

Agencies reported 58,794 original 
classification decisions, a decrease of 
20 percent. 

Agencies reported using the ten- 
years-or-less declassification 
instruction for 61 percent of original 
classification decisions. 

Executive branch agencies reported 
80,124,389 derivative classification 
decisions; a 16 percent decrease from 
FY 2012. 

Declassification 

Agencies received 9,521 initial man- 
datory declassification review (MDR) 



requests and closed 6,477 requests. 
The average number of days to resolve 
each request is 175. A total of 8,749 
requests have remained unresolved 
for over one year. This number 
includes requests that have been car- 
ried over from prior years. 

Agencies reviewed 1,122,502 pages 
under MDR, and declassified 
943,035 pages in their entirety, 
declassified 150,857 pages in part, 
and retained classification of 28,610 
pages in their entirety. 

Agencies received 440 MDR appeals 
and closed 311 appeals. The average 
number of days to resolve each appeal 
is 186. A total of 326 appeals have 
remained unresolved for over one year. 

Agencies reviewed 33,390 pages on 
appeal, and declassified 26,243 pages 
in their entirety, declassified 4,483 



pages in part, and retained classifica- 
tion of 2,664 pages in their entirety. 

Under automatic declassification, 
agencies reviewed 52,470,623 pages 
and declassified 25,771,199 pages of 
historically valuable records. 

Under systematic declassification 
reviews, agencies reviewed 6,515,055 
pages, and declassified 1,697,472 pages. 

Under discretionary declassification 
reviews, agencies reviewed 346,351 
pages, and declassified 55,671 pages. 

Under automatic, systematic, and 
discretionary declassification reviews, 
a total of 59,332,029 pages were 
reviewed for declassification and 
27,524,342 pages were declassified. 



Classification 



Original Classification 
Authorities 

O riginal classification authorities, also 
called original classifiers, are those 
individuals designated in writing, either by 
the President, by selected agency heads, or 
by designated senior agency officials with 
Top Secret original classification authority, to 
classify information in the first instance. Only 
original classifiers are authorized to determine 
what information, if disclosed without 
authorization, could reasonably be expected 
to cause damage to national security Original 
classifiers must be able to identify or describe 
the damage. Agencies reported 2,269 OCAs in 
FY 2013; a 2 percent decrease from the 2,326 
reported in FY 2012. 



Original Classification Authorities, FY 2013 

2.500 

2,000 

1.500 

1,000 

500 
0 

Top Secret Secret Confidential TOTAL 




Number of Original Classification Authorities, FY 1980 - FY 2013 



8,000 




2 ■ INFORMATION SECURITY OVERSIGHT OFFICE 



2.269 



By definition, original classification precedes all 
other aspects of the security classification system, 
including derivative classification, safeguarding, 
and declassification. 



Original Classification 

Original classification is a determi- 
nation by an OCA that information 
owned by, produced by or for, or under 
the control of the U.S. Government 
requires protection because unautho- 
rized disclosure of that information 
could reasonably be expected to cause 
damage to the national security. 

The process of original classification 
must always include a determination 
by an OCA of the concise reason for 
the classification that falls within one 
or more of the authorized categories 
of classification, the placement of 
markings to identify the information 
as classified, and the date or event 
when the information will become 
declassified unless it is appropriately 
referred, exempted, or excluded from 



automatic declassification. By defini- 
tion, original classification precedes 
all other aspects of the security clas- 
sification system, including derivative 
classification, safeguarding, and 
declassification. It will be noticed that 
some large agencies report very few 
original classification decisions. This 
is in large part due to the fact that 
their classification guides are com- 
prehensive and therefore the bulk of 
their classification activity is deriva- 
tive classification. 

The agencies reported 58,794 original 
classification decisions for FY 2013, 
using the ten-year-or-less declassifica- 
tion instruction 61 percent of the time. 

The agencies also reported a decrease 
of original classification decisions by 
20 percent during FY 2013. 



Original Classification Activity, FY 2013 
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Original Classification Activity, FY 1989 - FY 2013 
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Use of the "Ten Years or Less" Declassification Category, FY 1996 - FY 2013 




Derivative Classification 

Derivative classification is the act of 
incorporating, paraphrasing, restating, 
or generating in new form information 
that is already classified. Information 
may be derivatively classified in two 
ways: (1) through the use of a source 
document, usually correspondence or 
a publication generated by an OCA; or 
(2) through the use of a classification 
guide. A classification guide is a set of 
instructions issued by an OCA which 
identify elements of information 
regarding a specific subject that must 
be classified and establish the level and 
duration of classification for each such 
element. Classification guides provide 
consistency and accuracy to classifica- 
tion decisions. 

Derivative classification actions utilize 
information from the original cate- 
gory of classification. 



Every derivative classification action 
is based on information where classi- 
fication has already been determined 
by an OCA. Derivative classification 
decisions must be traceable to the 
original classification decision made 
by an OCA. 

Agencies reported a total of 80.12 mil- 
lion derivative classification decisions 
in FY 2013, a decrease of 16 percent 
from FY 2012. Although we can not 
pinpoint a single cause for this decrease, 
we do know it was due in part to the 
refinement and correction of estimation 
practices employed by some agencies. 
Other possible contributing factors 
could be the recent emphasis on proper 
classification procedures coming from 
the expanded agency self-inspection 
requirements, the inspector-general 
reviews conducted in response to the 
Reducing Over-Classification Act, 
and the Fundamental Classification 



Guidance Reviews that all agencies con- 
ducted in 2012. 

Classification Challenges 

Authorized holders of informa- 
tion who, in good faith, believe its 
classification status is improper are 
encouraged and expected to challenge 
the classification status of that infor- 
mation. Classification challenges are 
handled both informally and formally, 
and provide individual holders the 
responsibility to question the appro- 
priateness of the classification of 
information. Classification challenges 
provide a mechanism to promote 
sound classification decisions. 

Agencies reported 68 formal challenges 
in FY 2013; 41 (60.3 percent) were fully 
affirmed at their current classification 
status with 12 (17.6 percent) being 
overturned either in whole or in part. 
Fifteen challenges remain open. 
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Derivative Classification Activity, FY 2013 
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'Declassification 



Background 

D eclassification is defined 
as the authorized change 
in status of information from 
classified to unclassified and is 
an integral part of the security 
classification system. There are four 
declassification programs within 
the executive branch: automatic 
declassification, systematic 
declassification review, discretionary 
declassification review, and 
mandatory declassification review. 

Automatic declassification removes 
the classification of information 
at the close of every calendar year 
when that information reaches the 
25-year threshold. 

Systematic declassification review is 
required for those records exempted 
from automatic declassification. 

Discretionary declassification review 
is conducted when the public interest 
in disclosure outweighs the need for 
continued classification, or when the 
agency feels the information no longer 
requires protection and can be declas- 
sified earlier. 

Mandatory declassification review 
provides direct, specific review for 
declassification of information when 
requested by the public. 

Since 1996, statistics reported for 
systematic declassification review 
and automatic declassification were 
combined because the execution 
of both programs is usually indis- 
tinguishable. In FY 2010, however, 
agencies began to report automatic, 
systematic, and discretionary 
declassification numbers separately. 
Together, these four programs are 
essential to the viability of the 
classification system and vital to an 
open government. 



Automatic, Systematic, 
and Discretionary 
Declassification Review 

During FY 2013, a total of 59.33 
million pages were reviewed under 
the automatic, systematic, and dis- 
cretionary declassification programs 
and 27.52 million pages (46 percent) 
were declassified*. This is a 2 percent 
increase in the scale of declassification 
from FY 2012, when 44.92 million 
pages were reviewed and 19.85 million 
pages (44 percent) were declassified. 
While the percentage of pages declas- 
sified is just a small increase, the 
number of pages reviewed increased 
by over 14 million, while the number 
of pages declassified increased by 
almost 8 million over last year. 

Under automatic declassification 
review, agencies reviewed 52.47 
million pages and declassified 25.77 
million pages (49 percent). Under 
systematic declassification review, 
agencies reviewed 6.52 million pages 
and declassified 1.70 million pages (26 
percent). Under discretionary declas- 
sification review, agencies reviewed 
346,351 pages and declassified 55,671 
pages (16 percent). 

As a note of explanation, in the follow- 
ing four charts it can be seen that some 
agencies have a low rate of pages declas- 
sified compared to the total number 
of pages reviewed. In many cases, this 
is because the bulk of the information 
in these pages contained equities from 
other agencies and therefore had to be 
referred to those agencies. 

*This data does not include the 
status of documents processed by the 
National Declassification Center. 
Information about that program can 
be found at http://www.archives.gov/ 
declassification/ndc/releases.html 



During FY 2013, 
a total of 59.33 
million pages were 
reviewed under the 
automatic, systematic, 
and discretionary 
declassification 
programs and 
27.52 million pages 
(46 percent) were 
declassified. 
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AGENCY 



Number of Pages Reviewed and Declassified 
for Automatic Declassification, FY 2013 



DoD* 
CIA 
Navy 
Army 
Air Force 
State 
DOE 
DOJ 
ODNI 
NASA 
DHS 
NARA 
HHS 
0PM 
Commerce 




4 , 475,416 



8 , 142,735 



1 , 650,169 




0 5,000,000 10,000,000 15,000,000 20,000,000 

PAGES 



* DoD numbers do not include Air Force, Army, and Navy. 
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AGENCY 



Number of Pages Reviewed 
and Declassified for Systematic 
Declassification, FY 2013 



Air Force 
DOJ 
DoD* 
NARA 
EOP 
USAID 
Army 
DOE 




1,289,775 



240,498 



1,224,352 



184,440 

262,770 



127,683 

166,212 




Pages Reviewed 
Pages Declassified 

TOTAL: 

6,515,055 Pages Reviewed 
1,697,472 Pages Declassified 



1 1 1 1 1 1 1 
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k DoD numbers do not include Air Force, Army, and Navy. 



Number of Pages Reviewed and 
Declassified for Discretionary 
Declassification, FY 2013 
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Total Number of Pages Reviewed and Declassified*, FY 1980 - FY 2013 
(Automatic, Systematic, and Discretionary Declassification Reviews) 



1.24 Billion 
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Mandatory 

Declassification Review 

The mandatory declassification review 
(MDR) process requires a review of 
specific classified national security 
information in response to a request 
seeking its declassification. The public 
must make MDR requests in writing 
and each request must contain suffi- 
cient specificity describing the record 
to allow an agency to locate the record 
with a reasonable amount of effort. 
MDR remains popular with some 
researchers as a less litigious alterna- 
tive to requests under the Freedom of 
Information Act (FOIA), as amended. 
It is also used to seek the declassifica- 
tion of Presidential papers or records 
not subject to FOIA. 

In FY 2012, ISOO implemented a new 
reporting requirement to measure 
the response time for MDR requests. 
Agencies now report the average 
number of days it takes for them to 
close MDR requests. Agencies and 
ISOO can more clearly understand 
how agencies are executing their MDR 
programs successfully by comparing 
average response times, data previ- 
ously not studied. Agency response 
times will be analyzed to see trends 
within an agency’s program and 
across agencies of comparable size. We 
believe this method presents a clearer 
picture of the MDR response situation 
at an agency than the previous report- 
ing method of measuring the number 
of cases outstanding from the previous 
fiscal year, the number of new cases 
requested, and the number of cases to 
be carried into the new fiscal year. 

MDR Activity, FY 2013 

The FY 2013 data specify the num- 
ber of requests and appeals received, 
the number that remain unresolved 
for over one year, and the average 



number of days it takes to resolve 
each request and appeal. The report 
also displays the number of referred 
MDR requests and appeals to more 
accurately reflect the MDR workload 
of agencies. The number of referred 
MDR requests and appeals are not 
included in the statistical calculations 
to prevent duplicate counts. 

During FY 2013, there was a substan- 
tial increase in the number of pages 
reviewed for both MDR requests and 
appeals. Last year, there were 372,354 
pages reviewed in 7,589 requests. This 
year, there were a total of 1,122,502 
pages reviewed in the 9,521 requests 
received; an increase of 1,932 in 
requests received and an increase of 
750,148 in pages reviewed. The per- 
centage of pages declassified in their 
entirety also continues to increase 
from 58.4 percent in FY 2012 to 84 



percent in FY 2013. This in no way 
indicates that the original classifica- 
tion decisions were incorrect; just that 
as times change, so does the sensitiv- 
ity of the information. The fact that a 
higher percentage of pages are being 
declassified shows the careful consid- 
eration agency personnel are giving 
to the documents being reviewed. The 
percentage of pages denied declassifi- 
cation decreased from 18.3 percent in 
FY 2012 to just 3 percent in FY 2013. 

There was also an increase in the 
numbers of MDR appeals, 10,920 pages 
in 368 appeals in FY 2012 compared to 
33,390 pages in 440 appeals in FY 2013. 
The percentage of pages declassified on 
appeal increased from 29.1 percent last 
year to 79 percent this year. The per- 
centage of pages denied declassification 
decreased from 39.4 percent in FY 2012 
to just 8 percent in FY 2013. 



Mandatory Declassification Review 
Program Activity, FY 2012 - FY 2013 



Requests 


2012 


2013 


Requests Received 


7,589 


9,521 


Requests Closed 


6,533 


6,477 


Requests Unresolved for Over One Year 


6,666 


8,749 


Average Number Days to Resolve Each Request 


228 


175 


Appeals 


2012 


2013 


Appeals Received 


368 


440 


Appeals Closed 


321 


311 


Appeals Unresolved for Over One Year 


233 


326 


Average Number Days to Resolve Each Appeal 


240 


186 


Referred 


2012 


2013 


Referred Requests Received* 


10,001 


12,051 


Referred Appeals Received* 


212 


211 



* MDR requests and appeals referred to an agency from another agency that is 
responsible for the final release of the request/appeal. 
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Disposition of MDR Requests, FY 2013 



Denied: 
28,610 pages 

▲2 

Declassified 
in Part: 

150,857 pages 




Declassified 
in their Entirety: 
943,035 pages 



TOTAL: 1,122,502 pages 



Disposition of MDR Requests 
FY 1996 - FY 2013 

Denied: 



3,593,759 pages 



Disposition of MDR Appeals, FY 2013 




Denied: 
2,664 pages 



Declassified 
in Part: 
4,483 pages 




Declassified 
in their Entirety: 
26,243 pages 



TOTAL: 5,422,333 pages 



Disposition of MDR Appeals 
FY 1996 - FY 2013 



TOTAL: 33,390 pages 



Denied: 
35,630 pages 



30 . 04 % 



Declassified 
in Part: 
39,729 pages 




TOTAL: 118,600 pages 



Declassified 
in their Entirety: 
43,241 pages 
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' 'Reviews 



Declassification 

Assessments 

I n FY 2013, ISOO conducted 
declassification proficiency 
assessments of five agencies using an 
updated assessment plan and a revised 
scoring methodology. ISOO concluded 
its initial five-year assessment period 
in FY 2012 and accomplished its 
strategic goal of improving the quality 
of agency automatic declassification 
review programs. 

Starting in FY 2013, ISOO modified its 
declassification assessment program to 
monitor agencies’ steady-state perfor- 
mance. Under this approach, ISOO 
will monitor agency automatic declas- 
sification review programs and ensure 
that they maintain “high scores.” 

ISOO designed the updated program 
to balance use of ISOO and agency 
resources with the need to monitor 
agency automatic declassification 
review proficiency. Before implement- 
ing changes to this program, ISOO 
met with officials from the National 
Declassification Center and agencies 
and conducted a detailed survey with 
stakeholders, asking for input into 
changes to improve the program. 

The revised approach includes sig- 
nificant changes based on feedback 
from agencies and stakeholders. These 
changes include the establishment of a 
four-year review cycle, the revision of 
the assessment criteria and scoring tool, 
and the shift from a three-tiered scoring 
system to a two-tiered system. ISOO 
also changed its policy from bi-annual 
data requests to a single annual request 
and ISOO will base any on-site assess- 
ment on records the agency reviewed in 
the previous 12 months. 

On an annual basis, ISOO will assess 
at least 25 percent of agencies report- 
ing that they reviewed a significant 
volume of records for automatic 



declassification. Beginning in FY 2013, 
ISOO will assess agencies identified as 
having a significant automatic declas- 
sification review program at least once 
during the four-year period. 

In this revised approach, ISOO issues 
a data request each February, ask- 
ing agencies to provide information 
on records reviewed for automatic 
declassification between April 1 of 
the previous year and March 31 of 
the current year. It allows agencies 
to compile data and respond by the 
middle of May. After evaluating the 
responses, ISOO selects five or six 
agencies and conducts assessments of 
their programs. 

ISOO also revised the scoring criteria 
for FY 2013-2016 to reflect stakeholder 
input and results from the assessments 
themselves. ISOO still focuses the 
assessments on three major areas of 
concern — missed equities, improper 
exemptions, and improper referrals. 

» Missed equities indicate instances 
of a declassification review not 
identifying for referral the secu- 
rity classification interest of one 
agency found in the record of 
another agency; 

» Improper exemptions indicate 
instances of a declassification review 
resulting in the attempt to exempt a 
record from automatic declassifica- 
tion under an exemption category 
not permitted by that agency’s 
declassification guide as approved 
by the Interagency Security 
Classification Appeals Panel; 

» Improper referrals indicate 
instances of a declassification 
review resulting in the referral of 
records to agencies lacking the 
authority to exempt information 
from declassification or waiving 
their interest in declassification. 



ISOO declassification assessments 
factored the occurrence and extent of 
any of these three issues into the over- 
all agency score for the assessment. In 
addition to these three main cate- 
gories, ISOO also examined records 
to observe the extent that agency 
declassification policies are in com- 
pliance with ISOO regulations and 
are in place to best assist the National 
Declassification Center when it pro- 
cesses the records for public access. 
These policies include the full and 
appropriate use of the Standard Form 
(SF) 715, “Declassification Review 
Tab;” the appropriate age of the 
records reviewed (between 20-25 years 
of age); the use of box summary sheets; 
the use of appropriate record-keeping 
practices, including documenting 
completion of Kyl-Lott reviews; and 
the absence of unexplained multiple 
declassification reviews. 

ISOO conducted on-site assessments 
of five agencies in FY 2013: the Federal 
Bureau of Investigation, the Joint Staff, 
the National Archives and Records 
Administration, the Department 
of State, and the U.S. Agency for 
International Development. All five 
agencies scored “high.” While agencies 
improved the quality of agency auto- 
matic declassification reviews since FY 
2008 when ISOO began this oversight 
program, ISOO continues to identify 
isolated instances of missed equities 
and improper referrals. In FY 2013, 
ISOO documented three instances of 
missed equities and two instances of 
improper referrals. Additionally, ISOO 
continues to note positive progress in 
policy and program implementation. 
In FY 2013, ISOO found that all agen- 
cies used box summary sheets and 
had effective record-keeping practices 
to document their review decisions. 
ISOO noted that, with only a single 
exception, agencies fully and appropri- 
ately used the SF 715. These practices 
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facilitate the processing of referrals at 
the National Declassification Center. 

In FY 2014, ISOO will continue to 
conduct annual declassification assess- 
ments of at least five agencies. It will 
continue to provide agency-specific 
training and issue notices to agencies 
in order to provide specific guidance 
on areas of concern. 



Declassification Assessment 
Results, FY 2013 



Agency 


Result 


Federal Bureau 
of Investigation 


100 


Department of State 


90 


National Archives and 
Records Administration 


90 


U.S. Agency for Interna- 
tional Development 


90 


Joint Staff 


85 



Declassification Assessment 
Results, FY 2008 - FY 2013 



Fiscal 

Year 


Number 

of 

Agencies 


Average 

Score 


2008 


22 


79 


2009 


19 


84 


2010 


15 


90 


2011 


15 


94 


2012 


16 


97 


2013 


5 


91 



Self-Inspections 

E.O. 13526 requires agencies to 
establish and maintain ongoing 
self-inspection programs and report 
to the Director of ISOO on those 
programs each year. Self-inspections 
evaluate the effectiveness of agency 



programs covering original clas- 
sification, derivative classification, 
declassification, safeguarding, secu- 
rity violations, security education 
and training, and management and 
oversight. In addition, self-inspections 
include regular reviews of representa- 
tive samples of agencies’ original and 
derivative classification actions; these 
samples must encompass all agency 
activities that generate classified 
information; and appropriate agency 
officials must be authorized to correct 
misclassification actions. 

In order for senior agency officials 
(SAO) to fulfill their responsibilities 
under E.O. 13526, agency self-inspec- 
tion programs must be structured 
to provide the SAOs information 
to assess the effectiveness of each 
agency’s classified national security 
information (CNSI) program. Effective 
self-inspection programs generally 
correlate to effective CNSI programs. 
Agencies without self-inspection 
programs or with weak self-inspection 
programs fail to utilize an import- 
ant tool for self-evaluation and are 
at greater risk of having unidentified 
deficiencies in their CNSI programs. 

The implementing directive for E.O. 
13526, 32 CFR Part 2001, requires 
that the agency self- inspection 
reports include: (1) a description of 
the agency’s self-inspection program 
that provides an account of activities 
assessed, program areas covered, and 
methodology utilized; and (2) infor- 
mation gathered through the agency’s 
self-inspection program, which must 
include a summary and assessment of 
the findings from the self-inspection 
program, specific information from 
the review of the agency’s original 
and derivative classification actions; 
actions taken or planned to correct 
deficiencies; and best practices identi- 
fied during self-inspections. To ensure 
that agencies cover key requirements 
of the Order, the reports must also 



answer questions relating to areas such 
as training, performance evaluations, 
and classification challenges. 

In the first two years of descriptive 
self-inspection reporting required 
under E.O. 13526, a large per- 
centage of the agencies submitted 
reports that failed to cover many 
of the required elements. In 2012, 
only about 10 percent provided 
responses addressing all or nearly all 
of the required areas. In an effort to 
improve upon this, ISOO created a 
self-inspection reporting form and 
required agencies to submit their 
responses on it. In 2013, using the 
new form, nearly 80 percent of the 
agencies submitted reports that cov- 
ered all or nearly all of the required 
areas. The greatest improvement in 
responsiveness was to the questions 
relating to key requirements of the 
Order and in providing data from 
the review of classification actions. 
While further improvement in the 
quality of reports is needed at some 
agencies, ISOO is encouraged by the 
progress from last year. 

Agencies reported on the 
percentage of personnel who meet 
requirements of E.O. 13526 and 32 
CFR Part 2001 relating to training 
and performance evaluations: 

» Initial Training. All cleared agency 
personnel are required to receive 
initial training on basic security 
policies, principles, practices, and 
criminal, civil, and administrative 
penalties. (32 CFR 2001.70(b)) 

• 86.96 percent of the agen- 
cies reported that 100 
percent of their cleared per- 
sonnel received this training. 

» Refresher Training. Persons who 
apply derivative classification mark- 
ings are required to receive training 
in the proper application of the deriv- 
ative classification principles of E.O. 
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13526, prior to derivatively classifying 
information and at least once every 
two years thereafter. (E.O. 13526, Sec. 
2.1(d) and 32 CFR 2001.70(d)) 

• 47.83 percent of the agen- 
cies reported that 100 
percent of their cleared per- 
sonnel received this training. 

» Original Classification Authority 
(OCA) Training. OCAs are required 
to receive training in proper clas- 
sification and declassification each 
calendar year. (E.O. 13526, Sec. 

1.3(d) and 32 CFR 2001.70(c)) 

• 54.55 percent of the agencies 
reported that 100 percent of their 
OCAs received this training. 

» Derivative Classifier Training. 

Persons who apply derivative clas- 
sification markings are required to 
receive training in the proper appli- 
cation of the derivative classification 
principles of E.O. 13526, prior to 
derivatively classifying information 
and at least once every two years 
thereafter. (E.O. 13526, Sec. 2.1(d) 
and 32 CFR 2001.70(d)) 

• 61.11 percent of the agen- 
cies reported that 100 percent 
of their derivative classifiers 
received this training. 

» Performance Element. The per- 
formance contract or other rating 
system of original classification 
authorities, security managers, 
and other personnel whose duties 
significantly involve the creation or 
handling of classified information 
must include a critical element to 
be evaluated relating to designation 
and management of classified infor- 
mation. (E.O. 13526, Sec. 5.4(d)(7)) 

• 30.43 percent of the agencies report 
that 100 percent of the required 
personnel have this element. 

In addition, agencies reported on 
whether they meet the requirements of 



E.O. 13526 that relate to the limiting of 
OCA delegations and the establishment 
of classification challenge procedures: 

» OCA Delegations. Delegations of 
original classification authority shall 
be limited to the minimum required 
to administer E.O. 13526. Agency 
heads are responsible for ensuring 
that designated subordinate officials 
have a demonstrable and continuing 
need to exercise this authority. (E.O. 
13526, Sec. 1.3(c)(1)) 

• 85.0 percent of the agencies with 
OCA reported that delegations are 
limited as required. 

» Classification Challenge 
Procedures. An agency head or 
SAO shall establish procedures 
under which authorized holders of 
information, including authorized 
holders outside the classify- 
ing agency, are encouraged and 
expected to challenge the classi- 
fication of information that they 
believe is improperly classified or 
unclassified. (E.O. 13526, 

Sec. 1.8(b)) 

• 71.74 percent of the agencies 
reported that they have established 
classification challenge procedures. 

Agencies also reported with regard to 
the application of marking require- 
ments that were new when E.O. 13526 
was issued in 2009: 

» Identification of Derivative 
Classifiers. Derivative classifiers 
must be identified by name and posi- 
tion, or by personal identifier on each 
classified document. (E.O. 13526, Sec. 
2.1(b)(1) and 32 CFR 2001.22(b)) 

• A total of 35,503 documents were 
reviewed to evaluate the applica- 
tion of this requirement. 

• Agencies reported that 73.36 
percent of the documents meet 
this requirement. 



» Listing of Multiple Sources. A list 
of sources must be included on or 
attached to each derivatively clas- 
sified document that is classified 
based on more than one source 
document or classification guide. 
(32 CFR 2001. 22(c)(1)(h)) 

• A total of 30,035 documents 
were reviewed to evaluate the 
application of this requirement. 

• Agencies reported that 74.84 
percent of the documents meet 
this requirement. 

Clearly, many agencies must make 
improvements in fundamental 
elements of the program under 
E.O. 13526 and 32 CFR Part 2001. 
Many of the above requirements 
were already in existence when 
E.O. 13526 was issued in 2009. 
Those that were established by E.O. 
13526 are no longer new. Agencies 
have had many opportunities to 
familiarize themselves with these 
requirements, including briefings 
held by ISOO after E.O. 13526 was 
issued, ISOO notices and training 
materials covering some of these 
requirements, and interactions 
between agency personnel and 
ISOO liaisons. ISOO will advise 
agencies of these shortfalls and of 
the importance of meeting these 
requirements, but agencies that 
have reported deficiencies should 
already recognize that they must 
take corrective actions. Agencies 
must use their self-inspections to 
evaluate and improve their classi- 
fied national security information 
program. ISOO will continue to 
use the self-inspection reporting 
requirements to prompt agencies to 
do this and to bring their attention 
to the requirements of E.O. 13526 
and 32 CFR Part 2001. 
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Interagency Security Classification appeals 'Panel 



Mandatory 

Declassification Review 
(MDR) Appeals 

D uring FY 2013, the Panel continued 
to allocate a significant portion 
of its time and resources to processing 
MDR appeals. Appellants properly 
filed MDR appeals with the Panel in 
accordance with E.O. 13526 and the 
Panel’s bylaws, 32 CFR Part 2003. The 
Panel decided upon 46 MDR appeals, 
containing a total of 151 documents. 

The documents within these MDR 
appeals were classified either in 
part or in their entirety. The Panel 
affirmed the prior agency classification 
decisions in 20 documents (13.25 
percent), declassified 55 documents 
(36.42 percent) in their entirety, and 
declassified 76 documents (50.33 
percent) in part. 

Since May 1996, the Panel has acted on 
a total of 1,509 documents. Of these, 
the Panel declassified additional infor- 
mation in 70 percent of the documents. 
Specifically, the Panel declassified 
409 documents (27 percent) in their 
entirety, declassified 640 documents (42 
percent) in part, and fully affirmed the 
declassification decisions of agencies in 
460 documents (31 percent). 

Classification Challenge 
Appeals 

During FY 2013, the Panel adjudicated 
two classification challenge appeals 
filed by authorized holders of classified 
information, as provided for in section 
1.8 of the Order. In each of these appeals, 
the ISCAP affirmed the classifying 
agency’s original determination. 

Exemptions from 
Declassification 

Section 3.3 (h) of the Order required 
significant revisions to agency 



exemptions to automatic declassifica- 
tion by the end of December 2012. In 
early 2011, the ISCAP Staff informed 
agency declassification offices of the 
need to identify specific information 
for exemption from automatic declas- 
sification at 25 years. Additionally, 
agencies needed to identify any 
extraordinary cases where information 
should be exempted from automatic 
declassification at 50 and 75 years. 
Agencies submitted their declassifica- 
tion guides to the Panel by December 
31, 2011, and the Panel began the 
review, amendment, and approval 
process for 23 guides in January 2012. 
Throughout FY 2012 and FY 2013, the 
Panel approved 23 guides. In FY 2013, 
ISOO published the results of the 
declassification guide approval process 
as ISOO Notice 2013-02, listing those 
agencies eligible to exempt informa- 
tion at 25, 50, and 75 years. 

ISCAP Decisions 
Website 

In September 2012, the ISCAP Staff 
created a new website displaying 
electronic versions of documents the 
Panel recently declassified for public 
use. Section 5.3(b)(4) of the Order 
requires that the Panel “appropriately 
inform senior agency officials and 
the public of final Panel decisions on 
appeals under sections 1.8 and 3.5 
of this order.” This requirement is 
important for two reasons. First, the 
Panel adjudicates classification chal- 
lenges and mandatory declassification 
review appeals that may be of histor- 
ical interest to the public, not just the 
appellants. Second, section 3.1(i) of 
the Order states that, “When making 
decisions under sections 3.3, 3.4, and 
3.5 of this order, agencies shall con- 
sider the final decisions of the Panel.” 
Distribution of electronic versions of 
declassified documents on a publicly 
available website is the most efficient 



way for the Panel to provide senior 
agency officials (and agency declassi- 
fication staffs) and the public with its 
decisions and fulfill this requirement. 
The Panel will supplement and refine 
the website as the Panel and agen- 
cies declassify and release additional 
information. Refinements in FY 2013 
included the development of a search 
capability for Panel releases and the 
posting of decisions at the document, 
rather than appeal, level. 

Background 

The President created the Panel by 
executive order in 1995 to perform 
the functions noted above. The 
Panel first met in May 1996. The 
permanent membership is com- 
prised of senior-level representatives 
appointed by the Secretaries of State 
and Defense, the Attorney General, 
the Director of National Intelligence, 
the Archivist of the United States, 
and the Assistant to the President 
for National Security Affairs. The 
President selects the Chairperson. 

The Director of the Information 
Security Oversight Office serves as its 
Executive Secretary. ISOO provides 
staff support to Panel operations. 

Authority 

Section 5.3 of Executive Order 
13526, “Classified National Security 
Information.” 

Functions 

Section 5.3(b) 

(1) To decide on appeals by persons 
who have filed classification 
challenges under section 1.8 of 
E.O. 13526. 

(2) To approve, deny, or amend 
agency exemptions from auto- 
matic declassification as provided 
in section 3.3 of E.O. 13526. 
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(3) To decide on appeals by persons 
or entities who have filed requests 
for mandatory declassification 
review (MDR) under section 3.5 
of E.O. 13526. 

(4) To appropriately inform senior 
agency officials and the public 
of final Interagency Security 
Classification Appeals Panel (the 
Panel) decisions on appeals under 
sections 1.8 and 3.5 of E.O. 13526. 

Members* 

John W. Ficklin 

National Security Council Staff 

Michael Higgins 

Department of Defense 

Mark A. Bradley 

Department of Justice 



Margaret P. Grafeld 
Department of State 

Sheryl J. Shenberger 
National Archives and Records 
Administration 

Corin Stone 

Office of the Director of National 
Intelligence 

Executive Secretary 

John P. Fitzpatrick, Director 

Information Security Oversight Office 

Note: Section 5.3(a)(2) of E.O. 13526 
provides for the appointment of a 
temporary representative to the Panel 
from the Central Intelligence Agency 
(CIA) to participate as a voting mem- 
ber in all deliberations and support 
activities that concern classified 



information originated by the CIA. 
That temporary representative from 
the CIA is Joseph W. Lambert. 

*Note: The individuals named in this 
section were in these positions as of the 
end ofFY 2013. 

Support Staff 

Information Security Oversight Office 

For questions regarding the ISCAP, 
please contact the ISCAP’s support staff: 

Telephone: 202.357.5250 
Fax: 202.357.5908 
E-mail: iscap@nara.gov 

You can find additional information, 
including declassified and released 
documents, on the ISCAP website at 
http ://www. archives .gov/ 
declassification/iscap 
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Number of Appeals Received 
by ISCAP, FY 2004 - FY 2013 



ISCAP Decisions, FY 2013 




FISCAL YEAR 



Affirmed 
Classification: 
20 documents 




Declassified 
in their Entirety: 
55 documents 



50 . 33 % 




Declassified 
in Part: 

76 documents 



TOTAL: 151 documents 



ISCAP Decisions, 

May 1996 - September 2013 



Affirmed 
Classification: 
460 documents 



30 . 48 % 




Declassified 
in their Entirety: 
409 documents 



Declassified 
in Part: 

640 documents 



TOTAL: 1,509 documents 
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Cost Estimates for Security Classification J 'Activities 



Background and 
Methodology 

ISOO reports annually to the 
President on the estimated costs asso- 
ciated with agencies’ implementation 
of E.O. 13526, “Classified National 
Security Information,” and E.O. 12829, 
as amended, “National Industrial 
Security Program.” 

ISOO relies on the agencies to esti- 
mate and report the costs of the 
security classification system. The 
collection methodology used in this 
report has consistently provided a 
good indication of the trends in total 
cost. It is important to note that even 
if reporting agencies had no security 
classification activity, many of their 
reported expenditures would continue 
in order to address other, overlapping 
security requirements, such as work 
force, facility and information systems 
protection, mission assurance opera- 
tions and similar needs. 

The Government data presented in 
this report were collected by catego- 
ries based on common definitions 
developed by an executive branch 
working group. The categories are 
defined below: 

Personnel Security: A series of 
interlocking and mutually support- 
ing program elements that initially 
establish a Government or contrac- 
tor employee’s eligibility and ensure 
suitability for the continued access to 
classified information. 

Physical Security: That portion 
of security concerned with physical 
measures designed to safeguard and 
protect classified facilities and infor- 
mation, domestic, or foreign. 



Classification Management: 

The system of administrative poli- 
cies and procedures for identifying, 
controlling, and protecting classi- 
fied information from unauthorized 
disclosure, the protection of which 
is authorized by executive order or 
statute. Classification Management 
encompasses those resources used to 
identify, control, transfer, transmit, 
retrieve, inventory, archive, or destroy 
classified information. 

Declassification: The authorized 
change in the status of information 
from classified information to unclas- 
sified information. It encompasses 
those resources used to identify and 
process information subject to the 
automatic, systematic, and mandatory 
review programs established by E.O. 
13526, as well as discretionary declas- 
sification activities and declassification 
activities required by statute. 

Protection and Maintenance 
for Classified Information 
Systems: An information system 
is a set of information resources 
organized for the collection, stor- 
age, processing, maintenance, use, 
sharing, dissemination, disposition, 
display, or transmission of informa- 
tion. Security of these systems involves 
the protection of information systems 
against unauthorized access to or 
modification of information, whether 
in storage, processing, or transit; and 
against the denial of service to autho- 
rized users, including those measures 
necessary to detect, document, and 
counter such threats. It can include, 
but is not limited to, the provision of 
all security features needed to provide 
an accredited system of computer 
hardware and software for protection 



of classified information, material, or 
processes in automated systems. 

Operations Security (OPSEC) 
and Technical Surveillance 
Countermeasures (TSCM) 

OPSEC: Systematic and proven 
process by which potential 
adversaries can be denied 
information about capabilities 
and intentions by identifying, 
controlling, and protecting 
generally unclassified evidence 
of the planning and execution of 
sensitive activities. The process 
involves five steps: identification 
of critical information, 
analysis of threats, analysis of 
vulnerabilities, assessment of risks, 
and application of appropriate 
countermeasures. 

TSCM : Personnel and operating 
expenses associated with the 
development, training and 
application of technical security 
countermeasures such as non-de- 
structive and destructive searches, 
electromagnetic energy searches, 
and telephone system searches. 

Professional Education, 
Training, and Awareness: The 
establishment, maintenance, direction, 
support, and assessment of a security 
training and awareness program; 
the certification and approval of the 
training program; the development, 
management, and maintenance of 
training records; the training of 
personnel to perform tasks associated 
with their duties; and qualification 
and/or certification of personnel before 
assignment of security responsibilities 
related to classified information. 
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Security Management, 
Oversight, and Planning: 
Development and implementation 
of plans, procedures, and actions 
to accomplish policy requirements, 
develop budget and resource require- 
ments, oversee organizational activities, 
and respond to management requests 
related to classified information. 

Unique Items: Those department 
specific or agency specific activities 
that are not reported in any of the pri- 
mary categories, but are nonetheless 
significant and need to be included. 

Results— 

Government Only 

The total security classification cost 
estimate within Government for FY 
2013 is $11.63 billion. For the first 
time, we have included in this top- 
line figure the cost estimates of the 
Intelligence Community (IC)*, which 
total 1.87 billion. So that a comparison 
to prior year reports can be made, the 
total of all of government minus the 
IC is $9.76 billion, a decrease of $9.9 
million, or .1 percent, from FY 2012. 
The IC costs comprise 16 percent of 
the total Government costs, an order 
of magnitude roughly equivalent to 
that of past years when the IC cost 
estimates were reported but not dis- 
closed in the top-line figure. 

For FY 2013, agencies reported $1.52 
billion in estimated costs associated 
with Personnel Security, an increase 
of $139.39 million, or 10 percent. The 
majority of this increase is attributed 
to an increased number of periodic 
security clearance reinvestigations. 

Estimated costs associated with Physical 
Security were $2.31 billion, an increase 

*7he IC elements include the Central 
Intelligence Agency, the Defense 
Intelligence Agency, the Office of the 
Director of National Intelligence, the 
National Geospatial-Intelligence Agency, 
the National Reconnaissance Office, and 
the National Security Agency 



of $617 million, or 36 percent. Increased 
costs were due primarily to purchase 
and installation of security equipment 
and construction of secure facilities. 

Estimated costs associated with 
Classification Management were 
$353.98 million, an increase of $26.38 
million, or 8 percent. 

Estimated costs associated with 
Declassification were $99.77 million, an 
increase of $51.11 million, or 105 percent. 
This is due to an increase in declassifica- 
tion activity in numerous agencies. 

Estimated costs associated with 
Protection and Maintenance for 
Classified Information Systems were 
$4.40 billion, an increase of $368.49 
million, or 9 percent. 



Estimated costs associated with OPSEC 
and TSCM were $176.84 million, 
an increase of $52.38 million, or 42 
percent. The increase is due to the 
establishment of a new TSCM program. 

The estimated costs for Professional 
Education, Training, and Awareness 
were $587.61 million, an increase of 
$157.33 million, or 37 percent. 

Estimated costs associated 
with Security Management, 

Oversight, and Planning were 
$2.17 billion, an increase of 
$442.70 million, or 26 percent. 

Estimated costs associated with 
Unique Items were $13.67 million, an 
increase of $165,401, or 1 percent. 



Government Security Classification Costs, FY 2013 



OPSEC & TSCM 
$ 176 , 838,624 



Classification Management 
$ 353 , 975,161 

Professional Education, 

Training, and Awareness 
$ 587 , 613,808 



Declassification 

$ 99 , 765,802 



Unique Items 
$ 13 , 673,505 




Security Management, 
Oversight, and Planning 
$ 2 , 171 , 455,612 




TOTAL: $ 11 , 626 , 313,695 

Note: Includes cost estimates from the Intelligence Community. 
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Government Security Classification Costs, FY 1995 - FY 2013 



Year 


Personnel 

Security 


Physical 

Security 


Classification 

Management 


Declassification* 


Protection & 
Maintenance 
for Classified 
Information 
Systems 


Professional 
Education, 
OPSEC & Training, & 
TSCM+ Awareness 


Security 
Management, 
Oversight, & 
Planning 


Unique 

Items 


TOTAL 


1995 


$633 

million 


$175 

million 


$312 

million 


— 


$1.2 

billion 


— 


$67 

million 


$257 

million 


$6.4 

million 


$2.7 

billion 


1996 


$479 

million 


$308 

million 


$325 

million 


— 


$1.2 

billion 


— 


$72 

million 


$343 

million 


$5.6 

million 


$2.7 

billion 


1997 


$390 

million 


$345 

million 


$429 

million 


— 


$1.79 

billion 


— 


$78 

million 


$399 

million 


$4.2 

million 


$3.4 

billion 


1998 


$398 

million 


$386 

million 


$212.96 

million 


$199.65 

million 


$1.82 

billion 


— 


$93 

million 


$487 

million 


$5.7 

million 


$3.6 

billion 


1999 


$426 

million 


$410 

million 


$219 

million 


$233.18 

million 


$1.91 

billion 


— 


$97 

million 


$480 

million 


$0.8 

million 


$3.77 

billion 


2000 


$426 

million 


$272 

million 


$212.75 

million 


$230.90 

million 


$2.55 

billion 


— 


$112 

million 


$439 

million 


$25 

million 


$4.27 

billion 


2001 


$859 

million 


$217 

million 


$221.30 

million 


$231.88 

million 


$2.50 

billion 


— 


$106 

million 


$539 

million 


$25 

million 


$4.7 

billion 


2002 


$941 

million 


$367 

million 


$236.97 

million 


$112.96 

million 


$3.12 

billion 


— 


$134 

million 


$742 

million 


$26 

million 


$5.68 

billion 


2003 


$950 

million 


$536 

million 


$264.66 

million 


$53.77 

million 


$3.66 

billion 


$15.01 

million 


$158 

million 


$858 

million 


$27.7 

million 


$6.52 

billion 


2004 


$941 

million 


$691 

million 


$323.87 

million 


$48.26 

million 


$3.90 

billion 


$12.22 

million 


$178 

million 


$1.15 

billion 


$6.4 

million 


$7.25 

billion 


2005 


$1.15 

billion 


$1.04 

billion 


$309.93 

million 


$56.83 

million 


$3.64 

billion 


$33.64 

million 


$219 

million 


$1.21 

billion 


$6.6 

million 


$7.66 

billion 


2006 


$1.11 

billion 


$1.06 

billion 


$312.90 

million 


$43.99 

million 


$4.02 

billion 


$88.42 

million 


$237 

million 


$1.36 

billion 


$7.3 

million 


$8.24 

billion 


2007 


$1.10 

billion 


$1.37 

billion 


$323.50 

million 


$44.59 

million 


$4,18 

billion 


$85.57 

million 


$211 

million 


$1.33 

billion 


$7.9 

million 


$8.65 

billion 


2008 


$1.10 

billion 


$1.29 

billion 


$333.71 

million 


$42.73 

million 


$4.34 

billion 


$90.15 

million 


$243 

million 


$1.20 

billion 


$8.8 

million 


$8.65 

billion 


2009 


$1.21 

billion 


$1.28 

billion 


$361.17 

million 


$44.65 

million 


$4.26 

billion 


$106.14 

million 


$226 

million 


$1.30 

billion 


$15.7 

million 


$8.80 

billion 


2010 


$1.56 

billion 


$1.43 

billion 


$364.22 

million 


$50.44 

million 


$4.69 

billion 


$106.65 

million 


$400 

million 


$1.54 

billion 


$21.9 

million 


$10.16 

billion 


2011 


$1.40 

billion 


$1.74 

billion 


$352.40 

million 


$52.76 

million 


$5.65 

billion 


$128.97 

million 


$502.51 

million 


$1.53 

billion 


$11.9 

million 


$11.36 

billion 


2012 


$1.38 

billion 


$1.69 

billion 


$327.92 

million 


$48.65 

million 


$4.03 

billion 


$124.46 

million 


$430.28 

million 


$1.73 

billion 


$13.51 

million 


$9.77 

billion 


2013 


$1.52 

billion 


$2.31 

billion 


$353.98 

million 


$99.77 

million 


$4.40 

billion 


$176.84 

million 


$587.61 

million 


$2.17 

billion 


$13.67 

million 


$11.63 

billion 



*Prior to 1998, Declassification costs were included in Classification Management costs. 



+Prior to 2003, OPSEC and TSCM costs were not reported. 
Note: As ofFY 2013, Intelligence Community costs are included. 
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Results=lndustry Only 

To fulfill the cost reporting require- 
ments, a joint DoD and industry group 
developed a cost collection methodol- 
ogy for those costs associated with the 
use and protection of classified infor- 
mation within industry For FY 2013, 
the Defense Security Service collected 
industry cost data and provided the 
estimate to ISOO. 

Cost estimate data are not provided by 
category because industry accounts for 
its costs differently than Government. 
Rather, a sampling method was 
applied that included volunteer com- 
panies from four different categories 
of facilities. The category of facility is 
based on the complexity of security 
requirements that a particular com- 
pany must meet in order to hold and 



perform under a classified contract 
with a Government agency. 

The FY 2013 cost estimate totals for 
industry pertain to the twelve-month 
accounting period for the most recently 
completed fiscal year of the companies 
that were part of the industry sample 
under the National Industrial Security 
Program. The estimate of total security 
classification costs for FY 2013 within 
industry was $1.07 billion; a decrease of 
$126.02 million, or 11 percent. 

Results— Combined 
Government and 
Industry 

This year’s combined estimate for 
Government and industry was $12.70 
billion, an increase of $1.73 billion, or 
16 percent. 



Total Costs for Government and Industry, FY 1995 - FY 2013 




Note: Includes cost estimates from the Intelligence Community. 



22 ■ INFORMATION SECURITY OVERSIGHT OFFICE 



The National Industrial Security Trogram 



I SOO is responsible for implementing 
and overseeing the National 
Industrial Security Program (NISP) 
mandated under E.O. 12829, as 
amended. This oversight responsibility 
is primarily executed through 
the National Industrial Security 
Program Policy Advisory Committee 
(NISPPAC), a Federal Advisory 
Committee organized pursuant to 
section 103 of the NISP executive 
order. Membership of the NISPPAC 
is comprised of both Government 
and industry representatives, and is 
chaired by the Director of ISOO. 

The NISPPAC advises on all matters 
involving the policies of the NISP 
and is responsible for recommending 
changes to industrial security policy, 
specifically E.O. 12829, as amended, 
its implementing directive, 32 CFR 
Part 2004, and the National Industrial 
Security Program Operating Manual 
(NISPOM). The NISPPAC is required 
to convene at least twice a calendar 
year at the discretion of the Director 
of ISOO or the Designated Federal 
Official for the NISPPAC. NISPPAC 
meetings are open to the public and 
administered in accordance with the 
Federal Advisory Committee Act. 

The NISPPAC met three times during 
FY 2013. The major issues discussed 
during these NISPPAC meetings 
included the timeliness of processing 
contactor personnel security clearances, 
the certification and accreditation 
of information systems processing 
classified information, industry imple- 
mentation of national insider threat 
policies, national cyber security initia- 
tives and the revision of the NISPOM 
and 32 CFR Part 2004, NISP Directive 
No.l, to incorporate required changes. 

The NISPPAC convenes several gov- 
ernment/industry working groups to 
address NISPPAC action items and 
issues of mutual interest and concern. 



These permanent and ad-hoc working 
groups enhance the NISPPAC by gath- 
ering empirical data and developing 
process improvements to produce effec- 
tive results for the program as a whole. 
The continuing work of these groups is 
reported at each NISPPAC meeting. 

The Personnel Security Clearance 
working group continues to review 
and analyze a comprehensive set of 
metrics that measure the efficiency 
and effectiveness of security clearance 
processing for industry. The working 
group review includes metric data from 
the Office of Personnel Management 
(OPM), the Office of the Director of 
National Intelligence, the Departments 
of Energy and Defense, and the Nuclear 
Regulatory Commission. The working 
group is an important venue to exam- 
ine performance, discuss opportunities 
to improve, and keep stakeholders 
informed about emerging issues. These 
include upgrades to the OPM’s e-QIP 
system for on-line clearance submittals, 
requirements for electronic fingerprint- 
ing submittals, and potential changes to 
the security clearance process resulting 
from both the Washington Navy Yard 
shooting and the wave of recent unau- 
thorized disclosures. 

Fikewise, the Certification and 
Accreditation (C&A) of information 
systems working group continued its 
review and analysis of the processes 
for approval of contractors, grantees 
and licensees of the Federal Agencies 
to process classified information on 
designated systems. This group contin- 
ues to recommend changes to policies 
and standards and tracks performance 
metrics to monitor the consistency, 
timeliness, and effectiveness of the 
C&A processes. 

The E.O. 13587 working group was 
established to develop and propose 
changes to policy and guidance pur- 
suant to the issuance of E.O. 13587, 



Structural Reforms to Improve the 
Security of Classified Networks and the 
Responsible Sharing and Safeguarding 
of Classified Information. This group 
works to ensure that structural reforms 
mandated in E.O. 13587, as well as the 
National Insider Threat Policy, are fully 
integrated into NISP processes and 
implementation standards for contrac- 
tors, grantees and licensees. 

The issuance of E.O. 13526 created a 
need to revise portions of the NISPOM. 
To maximize the effectiveness of this 
rewrite effort, the NISPPAC working 
with DoD, as the NISP executive agent, 
the Cognizant Security Agencies, 
and other affected agencies, were 
provided an opportunity to review 
and recommend revisions to existing 
guidelines and proposed changes. A 
conforming change to the current 
NISPOM was issued in FY 2013 and a 
comprehensive updated NISPOM will 
be issued in FY 2015. 

The potential impact of the imple- 
mentation of Controlled Unclassified 
Information (CUI) program on the 
NISP contractors, grantees, or licens- 
ees remains an issue of discussion and 
concern by the NISPPAC. The inclusion 
of NISPPAC industry representatives in 
CUI implementation efforts will ensure 
its successful continuity and integration 
into NISP processes and implementa- 
tion standards. 

Finally, during FY 2013, we contin- 
ued our outreach and support to a 
myriad of industrial security entities, 
to include the National Classification 
Management Society, Aerospace 
Industries Association-National 
Defense Intelligence Council, ASIS 
International, and Industrial Security 
Awareness Councils. 

Information on the NISPPAC is 
available on the ISOO website at 
http://www.archives.gov/isoo/ 
oversight-groups/nisppac. 
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Controlled Unclassified Information 



A standardized 
methodology that 
permits maximum 
flexibility in 
application is being 
developed to service 
the widest range of 
both information 
and users. 



Background 

Executive Order 13556, “Controlled 
Unclassified Information,” (the 
Order 1 ) established the Controlled 
Unclassified Information (CUI) 
program to standardize the way the 
Executive branch handles Sensitive 
But Unclassified (SBU) information 
while emphasizing and enhancing the 
openness, transparency, and unifor- 
mity of government-wide practices. 
ISOO manages the CUI program 
and fulfills the Executive Agent (EA) 
responsibilities designated by the 
Order to NARA. 

Following issuance of the Order, the 
EA published baseline requirements 
for agency-specific CUI policies and 
procedures, and Federal agencies 
reviewed their respective SBU infor- 
mation practices and submitted to 
the EA those categories and subcat- 
egories that the agency would like to 
continue to employ. The EA reviewed 
more than 2,200 proposed category 
and subcategory submissions from 
47 agencies and led interagency dis- 
cussions to consolidate redundancies 
and provide consistency among like 
categories. Categories and subcatego- 
ries are defined in the CUI Registry. 

The Registry also includes citations for 
law, Federal regulation and govern- 
ment-wide policy that authorize control 
of each defined category and subcat- 
egory and, when fully developed, will 
serve as the primary source of direction 
for marking and handling CUI. 

Policy Development 

In FY 2013, the EA advanced the 
iterative policy development strategy 
launched in FY 2012, interspersing 
working group discussions, surveys 
and consolidation of current practices, 



1 Executive Order 13556 "Controlled Unclassified 
Information," dated November 4, 2010. 



initial drafting, informal agency com- 
ment, and EA comment adjudication 
for individual policy elements. This 
process has created a substantial body 
of internal research and analysis for 
incorporation into the program. 

Promoting full participation of all 
CUI stakeholders reiterated the chal- 
lenge of developing and coordinating 
a policy that addresses the broad spec- 
trum of information types identified 
as CUI, and the wide range of respon- 
sibility levels of potential designators 
and recipients of CUI (Federal, state, 
local, tribal, non-governmental). Some 
CUI users have comprehensive expe- 
rience with the concepts of protected 
information in a classified environ- 
ment; for others, the need to be aware 
of safeguarding and dissemination 
requirements for sensitive informa- 
tion is seldom a factor in day-to-day 
operations. A standardized methodol- 
ogy that permits maximum flexibility 
in application is being developed to 
service the widest range of both infor- 
mation and users. 

In May 2013, ISOO issued CUI Notice 
2013-01: Provisional Approval of CUI 
Categories and Subcategories, based 
on discussion with the Office of 
Management and Budget (OMB). This 
Notice establishes a process for the CUI 
EA to provisionally approve categories 
and/or subcategories for information 
types that reasonably require the 
protections of the CUI program but 
currently lack a statutory, regulatory, 
or Government-wide basis for control. 
Provisional approval will permit agen- 
cies to more efficiently and effectively 
plan for program implementation by 
allowing CUI planning activities to 
be performed in tandem with agency 
development of an enactment that 
meets the requirements of the Order. 

The CUI Advisory Council (the 
Council) was established in June 2013 
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to carry out the consultative functions 
directed by Executive Order 13556 
and to advise the CUI EA on the 
development and issuance of policy 
and implementation guidance for the 
CUI program. The Council is chaired 
by the Director of ISOO, and current 
membership is based on that of the 
Chief Financial Officers’ Council with 
representatives from 28 agencies; oth- 
ers attend by invitation. 

With formal input from the Council 
and Council-nominated subject matter 
experts, policy is being developed 
concurrently on multiple levels: 

1. Implementing directive to be 
incorporated into the Code of 



Federal Regulations (CFR) 
will include principles and 
guidelines applicable to all 
information and users; 

2. Supplemental Guidance, 
including, but not limited 
to, procedures, definitions 
and protocols for appropriate 
safeguarding, dissemination, 
marking, and decontrol of 
unclassified information; and 

3. Expansion of the CUI Registry 
to reflect additional authorized 
categories and subcategories, 
markings, designation authori- 
ties, specified CUI requirements 
and a glossary of terms. 



Implementation of the CUI 
program is being planned along a 
phased timeline, and will include 
responsibilities for both the EA 
and agencies. A target date for 
Initial Operating Capability (IOC), 
defined as the ability to recognize 
CUI and to receive CUI for physical 
safeguarding, will be established 
based upon publication of the CFR, 
and will be uniform across all 
agencies in the Executive branch. 
Full Operating Capability (FOC) 
will be achieved on an agency-by- 
agency basis, based on each agency 
completing all implementation tasks, 
including necessary information 
technology updates. 



CUI PHASED IMPLEMENTATION 
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The CUI EA is currently editing the 
draft implementing directive based on 
final informal agency comment and 
anticipates that it will enter the formal 
OMB-managed comment process 
in coming months. Based on CUI 
Advisory Council meetings, imple- 
mentation planning workshops, and 
consultation with OMB, the CUI EA 
will develop a National Implementation 
Plan that will include target dates for 
phased implementation. 

Training and Outreach 

To maintain timely communication 
with stakeholders, in April 2013, 

ISOO requested that agencies affirm 
or update their designation of a Senior 
Agency Official (SAO) responsible for 
the implementation of their respec- 
tive CUI program, and to designate 
a Program Manager (PM) to serve as 
their agency’s primary interface with 
ISOO in its role as the CUI EA. An 
overview and summary of the current 
state of the CUI program, tailored to 
these new SAOs and PMs, was pre- 
sented in July 2013. 

Also in July, ISOO conducted a spe- 
cialized workshop on CUI training to 
collaborate with impacted agencies, 
determine implementation work plan 
activities, and identify (phased imple- 
mentation) target dates for training. 
During the summer of 2013, the CUI 
EA requested information from stake- 
holders to serve as a planning aid for 
Executive branch-wide implementation. 
The data collected for training included 
identification of existing training 
programs and requirements, impacted 
personnel, target audiences, and 
requirements for future CUI implemen- 
tation across the Executive branch. 

As a follow-up to the FY 2012 issuance 
of Guidance Regarding CUI and the 
Freedom of Information Act, published 
jointly by the EA and the Office of 



Information Policy at the Department 
of Justice, in February 2013, ISOO 
issued Controlled Unclassified 
Information (CUI) and the Freedom 
of Information Act (FOIA), a comput- 
er-based training module clarifying 
the distinction between the CUI pro- 
gram and the FOIA. The training is 
designed for all Government employ- 
ees, and is particularly pertinent to 
those who will deal directly with CUI 
markings and designations as well as 
FOIA provisions and exemptions. 

The EA plans to develop and issue CUI 
baseline training based on final policy 
and guidance. In preparation, the EA 
will continue to assess agency train- 
ing requirements, including technical 
standards for implementation across 
the Executive branch. The EA will also 
continue to develop CUI awareness 
products and to provide training sup- 
port and consultation to agencies. 

The EA is encouraging agencies to 
continue planning their training 
efforts. All CUI training modules are 
publicly available on the CUI website 
for either direct access or download. 
Training source code is available to 
agencies to allow for mission-specific 
modification and implementation. 

In FY 2013, the CUI EA completed 
briefing SAOs and their staffs, from 
all the member departments of the 
President’s Cabinet. Based on their 
position in the Executive branch 
and influence over national policy, 
these stakeholders have the greatest 
potential to impact the overall imple- 
mentation of the CUI program. Their 
implementation of national programs 
and interaction with the rest of the 
Federal Government strongly influ- 
ence independent agencies and other 
organizations throughout the Executive 
branch. As an additional outreach 
effort, ISOO provides overviews and 
participates in panel discussions within 



the Federal government, with State, 
local, and private sector entities, and 
with public interest groups. 

CUI Registry and 
Website 

The online CUI Registry currently 
includes descriptions for 22 categories 
and 85 subcategories of unclassified 
information, supported by 314 unique 
control citations and 105 unique 
sanction citations in the United States 
Code, Code of Federal Regulations, 
and government-wide policies. All 
references were reconfirmed and 
updated based on annual updates 
to the United States Code, Code of 
Federal Regulations and review of gov- 
ernment-wide policy documents. 

As the repository for common defi- 
nitions, protocols and procedures 
for properly marking, safeguarding, 
disseminating and decontrolling 
unclassified information, based on law, 
regulation, and government-wide pol- 
icy, the CUI Registry is a cornerstone 
of the CUI program. ISOO led spe- 
cialized Registry workshops in which 
agencies were provided opportunities 
to submit input for potential consider- 
ation as additional Registry capability. 

In addition to the online CUI 
Registry, an active web presence 
provides updates, handouts, answers 
to frequently asked questions about 
the CUI program, an overview of 
governance structure, a listing of CUI 
Advisory Council members, CUI doc- 
uments, memoranda, and reports. 

The EA will continue to update the 
CUI Registry based on identifica- 
tion of unclassified information that 
requires protection based on law, 
regulations, and/or government-wide 
policies. It is anticipated that new cate- 
gories currently under discussion with 
the White House Office of Science 
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and Technology Policy and, separately, the 
Department of Defense, will be finalized in 
the coming months. 

Redesign of an expanded CUI Registry 
is underway, based on agency input and 
anticipated technology resources. This 
approach will be matured based on final 
policy and guidance. Providing clear and 
readily accessible direction will promote 
better protection and sharing of unclassified 
information both internally and externally. 

Information on the CUI program is avail- 
able online at http://www.archives.gov/cui. 
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